Security, Compliance, and Identity Blog

Increased security visibility through new Standard Logs in Microsoft Purview Audit

arishojaswi (Microsoft)
May 20, 2024

Microsoft Purview Audit provides an integrated solution to help organizations effectively respond to security incidents, forensic investigations, internal investigations, and compliance obligations. As announced in the previous Microsoft blogs in July 2023 and October 2023, Microsoft Purview Audit is expanding access to wider cloud security activity logs. As part of the changes, Audit (Standard) license holders will be able to access an additional 30 audit logs that were previously generated only for Audit (Premium) license holders. Eleven new Standard logs under Stream and Viva Engage workloads became Generally Available in November 2023. 

 

We are excited to announce that the remaining 19 new Standard logs under Exchange, Microsoft Teams, and SharePoint Online workloads are now available in Public Preview to all Worldwide and Gov cloud customers. To learn more about when these logs will become Generally Available in your tenant, please visit the Public roadmap. 

 

Overview of New Standard Logs 

19 new Standard logs are now available in Public Preview under Exchange, Microsoft Teams, and SharePoint Online workloads. The following table provides details of these logs. 

 

| Workload | Operation | Description |
| --- | --- | --- |
| Exchange | send | A message was sent, replied to or forwarded. |
| | mailitemsaccessed | Messages were read or accessed in a mailbox. |
| | searchqueryinitiatedexchange | Triggered when a user searches for items in an Exchange mailbox. |
| Teams | meetingparticipantdetail | Teams added information about the participants of a meeting, including the user ID of each participant, the time a participant joined the meeting, and the time a participant left the meeting. |
| | messagesent | A new message was posted to a chat or channel. |
| | messageslisted | Messages from a chat or channel were retrieved. |
| | meetingdetail | Teams added information about a meeting, including the start time, the end time, and the URL to join the meeting. |
| | messageupdated | A message of a chat or channel was updated. |
| | chatretrieved | A Microsoft Teams chat was retrieved. |
| | messageread | A message from a chat or channel was retrieved. |
| | messagehostedcontentread | Hosted content in a message, such as an image or a code snippet, was retrieved. |
| | subscribedtomessages | A subscription was created by a listener application to receive change notifications for messages. |
| | messagehostedcontentslisted | All hosted content in a message, such as images or code snippets, was retrieved. |
| | chatcreated | A Teams chat was created. |
| | chatupdated | A Teams chat was updated. |
| | messagecreatednotification | A change notification was sent to notify a subscribed listener application of a new message. |
| | messagedeletednotification | A change notification was sent to notify a subscribed listener application of a deleted message. |
| | messageupdatednotification | A change notification was sent to notify a subscribed listener application of an updated message. |
| SharePointOnline | searchqueryinitiatedsharepoint | Triggered when a user searches for items in SharePoint sites of the organization. |

The following 11 new Standard Logs under Stream and Viva Engage workloads are Generally Available. 

 

| Workload | Operation | Description |
| --- | --- | --- |
| Stream | streaminvokegettranscript | A transcript was extracted from Microsoft Stream. |
| | streaminvokechannelview | This event tracks when a user views a channel in Microsoft Stream. |
| | streaminvokegettexttrack | Accessing or retrieving text tracks (such as captions or subtitles) associated with a video in Microsoft Stream. |
| | streaminvokegetvideo | Video content was invoked on Microsoft Stream. |
| | streaminvokegroupview | A group was viewed on Microsoft Stream. |
| Viva Engage (Yammer) | threadviewed | User views a thread on Viva Engage. |
| | threadaccessfailure | User failed to access a thread on Viva Engage. |
| | messageupdated | User updates a message in Viva Engage. |
| | fileaccessfailure | User failed to access a file in Viva Engage. |
| | messagecreation | User creates a message in Viva Engage. |
| | groupaccessfailure | User failed to access a group in Viva Engage. |

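Once these operations are enabled in a tenant, the first thing a practitioner wants to know is whether they are actually arriving in the unified audit log. The following script is an added example, not part of the original post or of Microsoft's documentation. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with permission to run Search-UnifiedAuditLog, uses the operation names exactly as the two tables above list them, counts records per operation over a lookback window, and flags any operation from the list that produced nothing. The lookback length and the session id prefix are the script's own choices.

```powershell
# Added example, not part of the original post or of Microsoft's documentation:
# confirm which of the new Standard operations are actually arriving in this
# tenant's unified audit log. Assumes an existing Exchange Online PowerShell
# session (Connect-ExchangeOnline) with permission to run Search-UnifiedAuditLog.
# $lookbackDays and the session id prefix are this script's own choices.

$lookbackDays = 1
$startDate = (Get-Date).AddDays(-$lookbackDays)
$endDate   = Get-Date

# Operation names as listed in the two tables above (messageupdated appears under
# both Teams and Viva Engage, so it is listed once). Matching is case-insensitive.
$newStandardOps = @(
    # Exchange
    'send', 'mailitemsaccessed', 'searchqueryinitiatedexchange',
    # Teams
    'meetingparticipantdetail', 'messagesent', 'messageslisted', 'meetingdetail',
    'messageupdated', 'chatretrieved', 'messageread', 'messagehostedcontentread',
    'subscribedtomessages', 'messagehostedcontentslisted', 'chatcreated',
    'chatupdated', 'messagecreatednotification', 'messagedeletednotification',
    'messageupdatednotification',
    # SharePoint Online
    'searchqueryinitiatedsharepoint',
    # Stream
    'streaminvokegettranscript', 'streaminvokechannelview', 'streaminvokegettexttrack',
    'streaminvokegetvideo', 'streaminvokegroupview',
    # Viva Engage
    'threadviewed', 'threadaccessfailure', 'fileaccessfailure', 'messagecreation',
    'groupaccessfailure'
)

# Search-UnifiedAuditLog returns at most 5000 records per call; with a SessionId and
# ReturnLargeSet, repeated calls page through the rest until an empty page comes back.
$sessionId = "new-standard-logs-$(Get-Date -Format 'yyyyMMddHHmmss')"
$records = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
        -Operations $newStandardOps -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records += $page
} while ($page.Count -gt 0)

# Volume per operation, taken from the 'Operations' column of the search output.
$counts = @($records | Group-Object -Property Operations | Sort-Object Count -Descending)
$counts | Select-Object Name, Count | Format-Table -AutoSize

# Operations from the list that produced nothing in the window: the preview may not have
# reached the tenant yet, the workload may be unused, or (for Exchange) mailbox auditing
# may still need the settings the post describes.
$seen = @($counts | ForEach-Object { $_.Name })
$silent = @($newStandardOps | Where-Object { $_ -notin $seen })
if ($silent.Count -gt 0) {
    "No records in the last $lookbackDays day(s) for: $($silent -join ', ')"
}

# For MailItemsAccessed, pull the fields an investigation usually starts from
# out of the AuditData JSON payload.
$records | Where-Object { $_.Operations -eq 'MailItemsAccessed' } | Select-Object -First 5 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time     = $d.CreationTime
            User     = $d.UserId
            ClientIP = $d.ClientIPAddress
            Client   = $d.ClientInfoString
        }
    } | Format-Table -AutoSize
```

A one-day window is enough to see whether the high-volume operations (mailitemsaccessed, messagesent) are flowing; widen $lookbackDays for the rarer ones such as the change-notification events, which only appear when a listener application has an active subscription.
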
Premium insights available for Audit (Premium) users 

Audit (Premium) license holders will continue to get longer default retention, broader access to export data, higher bandwidth API access, and logs enriched by Microsoft’s AI-powered intelligent insights. If your organization has users with an Audit (Premium) license, they will generate the following logs with additional data described in the Premium Insight column below. 

 

| Workload | Operation | Premium Insight |
| --- | --- | --- |
| Exchange | mailitemsaccessed | SensitivityLabel |
| Teams | meetingparticipantdetail | IsJoinedFromLobby, ArtifactShared |
| | messageslisted | AppAccessContext |
| | messageupdated | ParticipantInfo, AppAccessContext |
| | chatretrieved | AppAccessContext |
| | messageread | AppAccessContext |
| | messagehostedcontentread | AppAccessContext |
| | subscribedtomessages | AppAccessContext |
| | messagehostedcontentslisted | AppAccessContext |
| | chatcreated | AppAccessContext |
| | chatupdated | AppAccessContext |
| | messagecreatednotification | AppAccessContext |
| | messagedeletednotification | AppAccessContext |
| | messageupdatednotification | AppAccessContext |

Enable Exchange Mailbox Logging 

The Exchange MailItemsAccessed and Send logs are enabled by default unless the mailbox’s DefaultAuditSet setting was modified. To ensure these new standard logs are generated, an admin may need to ensure the appropriate mailbox settings are enabled. 

The following command can be used to check whether a mailbox is currently using the default audit settings:

Get-Mailbox -Identity <MailboxIdentity>

Check the DefaultAuditSet property returned by the Get-Mailbox cmdlet (pipe the output to Format-List DefaultAuditSet to display only that property); a mailbox using the defaults will show the following result:

DefaultAuditSet : { Owner, Admin, Delegate }

If any of those values are missing, the mailbox is not using the default audit settings. 

 

If any changes were previously made to the default mailbox settings for a Standard user, an update must be made to enable the new standard Exchange logs for each mailbox. To ensure the new standard Exchange logs MailItemsAccessed and Send are stored, admins will either need to make sure Audit mailboxes are configured to the default settings or add the new standard logs to each mailbox. The following changes can be made in Exchange Online PowerShell. 

 

Option 1: Reset each mailbox to the default settings 

Any previous customizations, like auditing of MailboxLogin, will be reset once the mailbox is using the default settings. The following command will re-enable the default audit settings for the mailbox:

Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet Admin,Delegate,Owner

Option 2: Add the new standard logs to each mailbox

If you would prefer to keep the customizations for each mailbox, the following Set-Mailbox command will add the new standard logs to each mailbox. This command will add (only) the new Standard logs for each mailbox, retaining any existing customization, but any future changes to the defaults will need to be added at that point:

Set-Mailbox -Identity <MailboxIdentity> -AuditOwner @{Add="MailItemsAccessed","Send"} -AuditAdmin @{Add="MailItemsAccessed","Send"} -AuditDelegate @{Add="MailItemsAccessed"}

Enable Mailboxes for all Standard Users 

Every standard user mailbox should have AuditEnabled set to true to ensure all audit records are uploaded to Purview Audit. This step is not necessary for any users with an Audit Premium license assigned. Please note that this Set-Mailbox command must be run for every Standard license user regardless of its current value to correctly enable their mailbox to upload the new standard logs to Purview Audit. 

 

The following command will set AuditEnabled to true:

Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true

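The steps above (check DefaultAuditSet, apply Option 1 or Option 2, then set AuditEnabled) are all per-mailbox commands. The following script is an added example, not part of the original post or of Microsoft's tooling, that runs them across every user mailbox in the tenant. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with permission to run Get-Mailbox and Set-Mailbox; the -Apply and -KeepCustomizations switch names are the script's own. Without -Apply it only reports which mailboxes are off the defaults or missing the new logs; with -Apply it performs the chosen option, sets AuditEnabled on every mailbox, and records any per-mailbox error (such as the licensing error on Send reported in the comments) instead of stopping.

```powershell
# Added example, not part of the original post or of Microsoft's own tooling.
# Reports, and with -Apply remediates, the mailbox audit settings the post
# describes so that the new Standard Exchange logs (MailItemsAccessed, Send)
# are generated for every user mailbox.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline)
# with permission to run Get-Mailbox and Set-Mailbox. The -Apply and
# -KeepCustomizations switch names are this script's own (hypothetical) choices.
[CmdletBinding()]
param(
    [switch]$Apply,               # without -Apply, only report; change nothing
    [switch]$KeepCustomizations   # Option 2 (add the new logs) instead of Option 1 (reset to defaults)
)

$defaultAuditSet = @('Owner', 'Admin', 'Delegate')

# The new Standard logs per logon type, exactly as in the post's Option 2 command.
$newStandardLogs = [ordered]@{
    AuditOwner    = @('MailItemsAccessed', 'Send')
    AuditAdmin    = @('MailItemsAccessed', 'Send')
    AuditDelegate = @('MailItemsAccessed')
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$report = foreach ($mbx in $mailboxes) {
    # A mailbox is on the defaults only if DefaultAuditSet still lists all three logon types.
    $missingDefaults = @($defaultAuditSet | Where-Object { $_ -notin @($mbx.DefaultAuditSet) })
    $usingDefaults   = ($missingDefaults.Count -eq 0)

    # Which of the new Standard logs are absent from the AuditOwner/AuditAdmin/AuditDelegate lists?
    $missingLogs = @(foreach ($param in $newStandardLogs.Keys) {
        foreach ($log in $newStandardLogs[$param]) {
            if ($log -notin @($mbx.$param)) { "$param/$log" }
        }
    })

    # Per the post, mailboxes on the defaults already get the new logs; only customized ones need work.
    $action = 'None'
    if (-not $usingDefaults -and $missingLogs.Count -gt 0) {
        $action = if ($KeepCustomizations) { 'AddNewLogs' } else { 'ResetToDefaults' }
    }

    $result = 'DryRun'
    if ($Apply) {
        try {
            switch ($action) {
                'ResetToDefaults' {
                    Set-Mailbox -Identity $mbx.Identity -DefaultAuditSet Admin,Delegate,Owner -ErrorAction Stop
                }
                'AddNewLogs' {
                    Set-Mailbox -Identity $mbx.Identity `
                        -AuditOwner    @{Add = $newStandardLogs.AuditOwner} `
                        -AuditAdmin    @{Add = $newStandardLogs.AuditAdmin} `
                        -AuditDelegate @{Add = $newStandardLogs.AuditDelegate} `
                        -ErrorAction Stop
                }
            }
            # The post requires AuditEnabled to be set on every Standard-licensed mailbox
            # regardless of its current value, so this runs unconditionally. Running it on
            # a Premium-licensed mailbox as well is harmless.
            Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -ErrorAction Stop
            $result = 'OK'
        } catch {
            # Captured rather than fatal, e.g. the "Send event is only available for users
            # with appropriate license" error reported in the comments.
            $result = "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Mailbox         = $mbx.UserPrincipalName
        UsingDefaults   = $usingDefaults
        MissingDefaults = ($missingDefaults -join ',')
        MissingLogs     = ($missingLogs -join ',')
        AuditEnabled    = $mbx.AuditEnabled
        Action          = $action
        Result          = $result
    }
}

$report | Format-Table -AutoSize
# Keep a record of what was found and changed; the output path is this script's own choice.
$report | Export-Csv -Path .\mailbox-audit-report.csv -NoTypeInformation
```

Run it first without -Apply and review the CSV, then with -Apply (adding -KeepCustomizations if you need to preserve per-mailbox settings such as MailboxLogin auditing). Mailboxes already on the defaults are left alone, in line with the post's statement that the new logs are generated by default there; the AuditEnabled step is applied to every mailbox regardless, as the post requires.
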
More information regarding the setup instructions for these commands and information regarding permissions can be found here. Detailed information regarding activating these new logs for Audit Standard users will be added in a future update to the Microsoft Purview Audit public documentation. 

 

We are pleased to share today’s cloud logging update as a continuation of the thoughtful conversations we’ve had with our security experts, customers, and influential authorities like CISA. Please visit the Public roadmap to get the latest information on updates coming to Microsoft Purview Audit.  

 

Updated Jun 13, 2024
Version 3.0
  • jracz

    FYI - the below is incorrect, it has the '@'s in the wrong place

    Set-Mailbox -Identity <MailboxIdentity> -AuditOwner {@Add="MailItemsAccessed","Send" } -AuditAdmin {@Add="MailItemsAccessed","Send"} -AuditDelegate {@Add="MailItemsAccessed"}

    This is correct

    Set-Mailbox -Identity <MailboxIdentity> -AuditOwner @{Add="MailItemsAccessed","Send" } -AuditAdmin @{Add="MailItemsAccessed","Send"} -AuditDelegate @{Add="MailItemsAccessed"}

    Also, it errors on adding the send event, but if I set to default it adds the send event.

    "Send event is only available for users with appropriate license"


  • rpodric

    I assume that the check command was meant to be:

    Get-Mailbox -Identity <MailboxIdentity> fl DefaultAuditSet

  • jracz Thank you for pointing it out. We have corrected the '@' in the first command.

    The error on adding the Send event shouldn't happen once the change has been made to enable the new events for all users. But we'll look into this to confirm.

    Thank you!

  • rpodric Thank you for your comment, Brian. The check command should be fine as is.

    Did you mean 

    Get-Mailbox -Identity <MailboxIdentity> | fl DefaultAuditSet

    ? Without the “|” it’s not valid. 

    Get-Mailbox returns a set of properties. The additional part “| fl DefaultAuditSet” filters to the single property DefaultAuditSet and formats the value as a list.

  • N8TAN

    Is mailitemsaccessed included in the Sentinel cloudappevents table, and does this mean that it will slowly be moving out of the officeactivity table in Sentinel? My slight concern is that mailitemsaccessed is a high volume event and so I wouldn’t want it logged twice.